Privacy Policy

Effective Date: February 6, 2026
Last Updated: February 6, 2026

SRL MACCUS (“we,” “us,” or “our”) operates HitchHive, a hitchhiking and travel social application available on iOS and Android (the “App”), as well as the website https://hitchhive.app (the “Website”). Together, the App and the Website are referred to as the “Service.”

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service, in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Belgian Data Protection Act of 30 July 2018, and other applicable data protection laws.

Please read this Privacy Policy carefully. By using our Service, you acknowledge that you have read and understood this policy. If you do not agree with our practices, please do not use the Service.

1. Data Controller

The data controller responsible for your personal data is:

SRL MACCUS
VAT: BE 1005.438.850
Email: maccus@marcwiner.com
Website: https://hitchhive.app

We have not appointed a Data Protection Officer (DPO) as our processing activities do not meet the threshold requiring mandatory DPO appointment under Article 37 of the GDPR. For all privacy-related inquiries, please contact us at the email address above.

2. Personal Data We Collect

2.1 Data You Provide Directly

When you create an account and use our Service, you may provide the following personal data:

Account Information: Name, email address, and password (or third-party authentication credentials such as Apple ID or Google account).
Profile Information: Profile photo, biography, travel preferences, and any other information you choose to add to your profile.
User-Generated Content: Posts, comments, travel stories, ride requests, ride offers, and other content you create or share through the Service.
Communications: Messages you send to other users through the Service, and any communications you send to us (e.g., support requests, feedback).

2.2 Data Collected Automatically

When you use our Service, we automatically collect certain data, including:

Location Data: With your explicit consent, we collect precise GPS location data (latitude and longitude coordinates) when you use location-based features such as posting your hitchhiking position or finding nearby rides. We may also collect approximate location data derived from your IP address. See Section 5 for more details on location data.
Device Information: Device type, operating system and version, unique device identifiers, device language, and time zone.
Usage Data: Information about how you interact with our Service, including features used, pages viewed, actions taken, time and duration of use, and interaction patterns.
Log Data: IP address, browser type, access times, referring URLs, and crash or error reports.

2.3 Data from Third-Party Sources

If you register or log in using a third-party authentication service (such as Apple ID or Google), we receive basic profile information from that service, such as your name and email address, in accordance with the permissions you grant.

3. Purposes and Legal Basis for Processing

We process your personal data for the following purposes, each with a corresponding legal basis under Article 6 of the GDPR:

Purpose	Legal Basis
To create and manage your account	Performance of contract (Art. 6(1)(b))
To provide core Service features (ride matching, user profiles, messaging)	Performance of contract (Art. 6(1)(b))
To process and manage subscriptions and payments	Performance of contract (Art. 6(1)(b))
To collect and display your precise location for hitchhiking features	Consent (Art. 6(1)(a))
To send you service-related communications (e.g., account notifications, security alerts)	Performance of contract (Art. 6(1)(b))
To improve and develop the Service, perform analytics, and fix bugs	Legitimate interest (Art. 6(1)(f)) — our interest in improving service quality and user experience
To ensure security, prevent fraud, and enforce our terms	Legitimate interest (Art. 6(1)(f)) — our interest in maintaining a safe and secure platform
To comply with legal obligations (e.g., tax, regulatory requirements)	Legal obligation (Art. 6(1)(c))
To respond to your support requests and inquiries	Performance of contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f))

Where we rely on legitimate interest as the legal basis, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may contact us to obtain more information about these assessments.

4. Sharing and Disclosure of Personal Data

4.1 With Other Users

Certain information you provide is visible to other users of the Service, including your profile name, profile photo, and any content you post publicly (such as ride requests, ride offers, and travel stories). If you use location-sharing features, your location may be visible to other users in accordance with your settings.

4.2 With Service Providers (Data Processors)

We share personal data with the following third-party service providers who process data on our behalf:

Supabase, Inc. — Provides our backend infrastructure, including database hosting, user authentication, and file storage. Supabase processes account information, profile data, user-generated content, and location data. We have entered into a Data Processing Agreement (DPA) with Supabase that includes Standard Contractual Clauses (SCCs) for international data transfers. Our Supabase instance is hosted in the EU (Frankfurt, Germany).
RevenueCat, Inc. — Manages in-app subscriptions and payment processing. RevenueCat processes subscription status, purchase history, transaction identifiers, and device identifiers necessary to manage your subscription. We have entered into a DPA with RevenueCat. RevenueCat’s privacy practices are described in their privacy policy at revenuecat.com/privacy.
Amazon Web Services (AWS) — Provides the underlying cloud infrastructure on which Supabase operates. AWS processes data as a sub-processor. International data transfers are covered by the EU-US Data Privacy Framework adequacy decision and Standard Contractual Clauses.

4.3 For Legal Reasons

We may disclose your personal data if required to do so by law, or if we believe in good faith that such action is necessary to:

Comply with a legal obligation, court order, or regulatory request.
Protect and defend our rights or property.
Prevent or investigate possible wrongdoing in connection with the Service.
Protect the personal safety of users of the Service or the public.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice within the Service before your data is transferred and becomes subject to a different privacy policy.

4.5 No Sale of Personal Data

We do not sell your personal data to third parties. We do not share your personal data with third parties for their own marketing purposes.

5. Location Data

Given the nature of our Service, location data plays a central role. Here is how we handle it:

What we collect: Precise GPS coordinates (latitude and longitude) when you actively use location-based features, and approximate location derived from your IP address.
When we collect it: Location data is collected only when you actively grant permission and use location-related features (e.g., posting your hitchhiking spot, browsing nearby rides). We do not continuously track your location in the background unless you have explicitly enabled this feature.
How we use it: To display your position on the map to other users, to facilitate ride matching, and to show you relevant nearby rides or hitchhiking spots.
Who can see it: Other users of the Service can see your shared location when you use location-based features. Our service providers (Supabase) have technical access to location data for hosting and infrastructure purposes.
How long we keep it: Active location data is retained for as long as your account is active. Historical location data associated with past rides or posts is retained until you delete the associated content or your account.
Your control: You can enable or disable location services at any time through your device settings (Settings > Privacy > Location Services on iOS, or Settings > Location on Android). You can also manage location-sharing preferences within the App. Disabling location services may limit certain features of the Service.

Legal basis: We process your precise location data based on your explicit consent (Art. 6(1)(a) GDPR), obtained through the device-level permission prompt and in-app settings. You may withdraw this consent at any time by disabling location services on your device or in the App settings.

6. International Data Transfers

Our primary data infrastructure (Supabase) is hosted in the European Union (Frankfurt, Germany). However, some of our service providers are based in the United States. When personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:

EU-US Data Privacy Framework: Where applicable, we rely on the European Commission’s adequacy decision for the EU-US Data Privacy Framework (adopted July 10, 2023) for transfers to certified US organizations.
Standard Contractual Clauses (SCCs): We have entered into Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with our service providers to ensure an adequate level of data protection for any transfers outside the EU/EEA.

You may request a copy of the safeguards we have put in place by contacting us at the email address provided above.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

Data Category	Retention Period
Account information (name, email)	Duration of account + 30 days after deletion request
Profile information and user-generated content	Duration of account; deleted upon account deletion
Location data	Duration of account; deleted upon account deletion
Messages between users	Duration of account; deleted upon account deletion
Subscription and payment records	7 years after the transaction (Belgian tax and accounting obligations)
Device and usage data (analytics)	26 months from collection
Log data (IP addresses, access logs)	12 months from collection
Support correspondence	3 years after resolution

When data is no longer needed, we securely delete or anonymize it. Certain data may be retained for longer periods if required by law or necessary for the establishment, exercise, or defense of legal claims.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit using TLS/SSL.
Encryption of data at rest in our database systems.
Row-Level Security (RLS) policies in our database to ensure users can only access their own data.
Secure authentication mechanisms, including support for third-party authentication providers (Apple ID, Google).
Regular security assessments and updates.
Access controls limiting employee and contractor access to personal data on a need-to-know basis.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining and continuously improving our security practices.

9. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure (Art. 17): You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when the data has been unlawfully processed, among other grounds. See Section 10 for details on account and data deletion.
Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON), and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.
Right to Object (Art. 21): You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right Not to Be Subject to Automated Decision-Making (Art. 22): We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.

How to Exercise Your Rights

To exercise any of these rights, please contact us at maccus@marcwiner.com. We will respond to your request within one month of receipt. In complex cases or where we receive a large number of requests, this period may be extended by a further two months, in which case we will inform you of the extension and the reasons for it within the first month.

We may need to verify your identity before processing your request. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

10. Account and Data Deletion

You can delete your account and associated personal data at any time:

In the App: Navigate to your account settings and select the account deletion option.
On the Web: Visit our account deletion page at https://hitchhive.app/delete-account/ and follow the instructions provided.
By Email: Send a deletion request to maccus@marcwiner.com.

Upon receiving a valid deletion request, we will:

Delete your account and associated personal data within 30 days.
Notify our data processors (Supabase, RevenueCat) to delete your data from their systems.
Send you a confirmation once the deletion is complete.

Certain data may be retained after account deletion where we are legally required to do so, including financial transaction records (retained for 7 years under Belgian tax law) and any data necessary for the establishment, exercise, or defense of legal claims.

11. Cookies and Tracking Technologies

Our Website may use cookies and similar tracking technologies to enhance your experience.

Types of Cookies We Use

Essential Cookies: Necessary for the Website to function properly (e.g., session management, security). These do not require consent.
Analytics Cookies: We use Google Analytics to understand how visitors interact with our Website. Google Analytics uses cookies to collect information about website usage, including pages visited, time spent, and traffic sources. This data is aggregated and anonymized where possible.

Managing Cookies

You can manage or disable cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of the Website. For more information about how Google uses data from sites that use Google Analytics, visit Google’s Partner Sites page.

Do Not Track

Our Service does not currently respond to “Do Not Track” browser signals. However, you can manage your privacy preferences through the controls described in this policy.

12. Third-Party Services and Links

Our Service may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our Service.

The App integrates with the following third-party services:

Apple Sign In / Google Sign In: For account authentication. Subject to Apple’s and Google’s respective privacy policies.
Apple App Store / Google Play Store: For app distribution and subscription billing. Subject to Apple’s and Google’s respective privacy policies.

13. Children’s Privacy

Our Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children under 18. Given the nature of our Service — which involves hitchhiking and meeting other travelers in person — we require all users to be at least 18 years old.

If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data as quickly as possible. If you believe that we may have collected data from a person under 18, please contact us immediately at maccus@marcwiner.com.

14. Data Provision and Consequences

Providing your personal data is not a statutory requirement. However, certain personal data is necessary to enter into and perform our contract with you (i.e., to provide the Service). Specifically:

Required data: Name and email address are required to create an account and use the Service. Without this data, we cannot provide you with access to the Service.
Optional data: Profile photo, biography, and location data are optional. You may use the Service without providing this data, although some features (particularly location-based features) will be limited.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the “Last Updated” date at the top of this policy.
Notify you by email or through a prominent notice in the App or on the Website prior to the changes taking effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

16. Supervisory Authority and Complaints

If you believe that our processing of your personal data infringes the GDPR or other applicable data protection laws, you have the right to lodge a complaint with a supervisory authority.

The competent supervisory authority for HitchHive is:

Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit)
Rue de la Presse 35 / Drukpersstraat 35
1000 Brussels, Belgium
Phone: +32 (0)2 274 48 00
Email: contact@apd-gba.be
Website: www.dataprotectionauthority.be

You also have the right to lodge a complaint with the supervisory authority of the EU/EEA member state in which you reside or work, or in which the alleged infringement took place.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

SRL MACCUS
Email: maccus@marcwiner.com
Website: https://hitchhive.app

We aim to respond to all inquiries within 30 days.